FBI: Email swindlers have now redirected as much as $12bn in payments

The FBI’s IC3 unit is warning that email swindling scams, known as business email compromise (BEC), have now conned businesses and individuals into wiring $12.5 billion to scammer accounts in the last five years.

According to IC3, the value of reported losses to BEC scams has more than doubled between December 2016 and May 2018, and the scams are hitting victims in all 50 US states and in 150 countries.

Now IC3 is calling BEC, in which fraudsters study a target and compromise the email accounts of CEOs or finance administrators to orchestrate misdirected transfers, a “12 billion dollar scam”. That’s still smaller than Symantec's 2017 estimate of the cost of cybercrime to consumers of $172 billion.

The new figures nonetheless mark a massive increase over IC3’s November 2017 BEC update, which reported total worldwide “exposed losses” of $5.3 billion and 40,203 victims in the US and abroad.

Exposed losses include both actual and attempted scams in the US, so actual losses may be smaller, although that assumes all instances of BEC fraud are known to the FBI.

“Last week’s FBI announcement that business email compromise attacks have resulted in more than $12.5 billion in losses worldwide shines a necessary light on the real-world financial impact that email fraud and account compromise can have on organizations,” Tim Bentley, vice president of Proofpoint APJ, told CSO Online.

Bentley said that many BEC incidents are underreported or unreported each year.

“These new figures compound our recent research findings that email fraud attacks hit more than 90% of organizations in the first three months of this year and the total number rose 103% year-over-year,” he said.

The exposed-losses figure is based on BEC complaints to law enforcement and reports from financial institutions made between October 2013 and May 2018. Domestic and international complaints about BEC have climbed to 78,617.

Losses reported directly by victims of BEC fraud were significantly lower, but still represent a massive windfall for BEC perpetrators. Between June 2016 and May 2018, victims reported to IC3 that BEC fraudsters conned them into sending $1.6 billion to 19,335 accounts. A further 11,452 fraudsters outside the US received $1.7 billion.

Some of those fraudsters were arrested in June following a six-month FBI investigation that netted 42 alleged BEC fraudsters in the US, 29 in Nigeria, and three in Canada, Mauritius and Poland.

BEC scammers have shown a preference for real estate businesses, which may be due to the large sums involved and the number of parties to each transaction, including real estate agents, lawyers, title companies, buyers and sellers.

The scam against real estate parties is simple. After compromising the email account of one of the parties, the fraudster sends the victim a request to transfer the money to an account the fraudster controls, often in the US, but primarily at banks in China and Hong Kong. When funds land in a US account, the fraudster quickly withdraws the money from ATMs and then closes the account to frustrate investigations.

US-based money mules are often recruited to participate in real estate BEC fraud by opening their own accounts for receiving BEC funds. Surprisingly, they’re often recruited through romance scams.

BEC scams targeting the real estate sector are on the rise. "From calendar year 2015 to calendar year 2017, there was over an 1100% rise in the number of BEC/EAC victims reporting the real estate transaction angle and an almost 2200% rise in the reported monetary loss," said IC3.

“BEC attackers prefer the low-tech attack as it's much easier to navigate than hacking into a targeted organization’s infrastructure,” said Bentley.

“No matter what an organization’s security architecture looks like, attackers are adept at using two of the most powerful information tools of our era—LinkedIn and Google—to conduct reconnaissance on potential individuals to target. Exploiting the email communication channel through highly personalized, social engineering messages allows them to easily impersonate a trusted employee or partner,” he said.

The FBI advised all parties to a real-estate transaction to verify any request to change the payment type or destination, for example a change from a check to a wire transfer, as a way to spot a BEC scam.

It also advises real-estate agents against revealing email addresses in property listings, which could give BEC fraudsters the details they need to begin the con. One of the largest known Australian BEC incidents saw Brisbane City Council wire $450,000 in 9 payments to an account it believed belonged to a supplier.

Real-estate agents also need to be wary of phone calls from imposters seeking personal information for supposed verification purposes.

“Financial institutions report phone calls acknowledging a change in payment type and/or location. Some victims report they were unable to distinguish the fraudulent phone conversation from legitimate conversations. One way to counteract this fraudulent activity is to establish code phrases that would only be known to the two legitimate parties,” IC3 notes.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.